Fortinet Authentication Bypass Vulnerabilities Exploited in the Wild
CISA has added two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting multiple Fortinet products—including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager—to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. These flaws stem from improper verification of cryptographic signatures in the FortiCloud Single Sign-On (SSO) mechanism, allowing unauthenticated attackers to bypass authentication via specially crafted SAML messages. Fortinet has released advisories and patches, and CISA has set a remediation deadline for federal agencies, urging immediate patching or, if not possible, discontinuation of affected products until mitigations are in place.
The vulnerabilities are not enabled by default but can be activated during FortiCare registration unless administrators disable the relevant SSO toggle. Security researchers have observed exploitation attempts shortly after the patch release, highlighting the urgency for organizations to update their systems. CISA's guidance mandates compliance with BOD 22-01 for federal agencies, and all organizations using affected Fortinet products are strongly advised to apply patches or disable the vulnerable SSO feature to prevent unauthorized access to their networks.
Timeline
Dec 23, 2025
CISA orders federal agencies to remediate by Dec. 23
Following the KEV listing, CISA directed U.S. federal civilian agencies to remediate CVE-2025-59718 by 2025-12-23 under BOD 22-01 or discontinue use of affected products until fixed. Private-sector organizations were also urged to review exposure and patch immediately.
Dec 17, 2025
Proof-of-concept exploit code is published for the Fortinet flaws
By 2025-12-17, public proof-of-concept exploits for the Fortinet vulnerabilities had been posted on GitHub and were being validated against vulnerable targets. This added public technical detail to the ongoing exploitation story and increased urgency for defenders to patch or mitigate.
Dec 16, 2025
CISA adds CVE-2025-59718 to the KEV catalog
On 2025-12-16, CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The agency highlighted the authentication-bypass risk in Fortinet products using FortiCloud SSO and elevated the issue for federal defenders.
Dec 12, 2025
Attackers begin exploiting Fortinet SAML SSO flaws in the wild
By 2025-12-12, attackers were observed actively exploiting the vulnerabilities to bypass FortiCloud SSO authentication with crafted SAML messages and gain administrative access. Reported post-compromise activity included targeting FortiGate admin accounts and exporting device configuration files containing hashed credentials and other sensitive data.
Dec 9, 2025
Fortinet releases patches for CVE-2025-59718 and CVE-2025-59719
On 2025-12-09, Fortinet released advisories, fixed versions, and mitigation guidance for two critical SAML SSO authentication-bypass flaws affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. Fortinet recommended upgrading promptly and temporarily disabling FortiCloud SSO administrative login or restricting internet-facing management access.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
Critical Authentication Bypass Vulnerabilities in Fortinet Products via FortiCloud SSO
Fortinet has disclosed and patched two critical authentication bypass vulnerabilities, identified as CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws, rated with a CVSS score of 9.1, stem from improper verification of cryptographic signatures in the FortiCloud SSO login process. An unauthenticated attacker could exploit these vulnerabilities by sending a crafted SAML message, potentially gaining unauthorized administrative access if FortiCloud SSO is enabled. By default, FortiCloud SSO is disabled, but it is automatically enabled during FortiCare registration unless the administrator explicitly disables the relevant toggle. Fortinet has released fixed versions for all affected products and strongly recommends that organizations upgrade immediately. As a temporary mitigation, disabling the FortiCloud SSO login feature is advised until the upgrade can be completed. There is currently no evidence of exploitation in the wild, and no public proof-of-concept code is available, but the history of threat actors targeting Fortinet products underscores the urgency of patching. The vulnerabilities impact a range of versions across FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, with unaffected versions and upgrade paths detailed in the advisories.
1 months ago
Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet disclosed two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting multiple products including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. These flaws allow unauthenticated attackers to bypass FortiCloud SSO login authentication by sending crafted SAML messages if the FortiCloud SSO feature is enabled. The vulnerabilities are not exploitable by default, but become active when devices are registered to FortiCare with administrative SSO enabled, increasing the risk for organizations that have enabled this feature. No exploitation in the wild or public proof-of-concept code has been reported as of the latest advisories, but security experts warn that threat actors are likely to target these vulnerabilities for initial access in the future. Fortinet and security researchers strongly recommend immediate upgrades to the latest fixed versions for all affected products to mitigate the risk. Detailed version guidance and mitigation steps have been provided to ensure organizations can secure their environments against potential attacks leveraging these flaws.
1 months ago
Critical Fortinet FortiCloud SSO Authentication Bypass Vulnerabilities
Fortinet has disclosed two critical vulnerabilities, CVE-2025-59718 and CVE-2025-59719, affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager products. These flaws stem from improper verification of cryptographic signatures in the FortiCloud SSO login feature, allowing unauthenticated attackers to bypass authentication by sending crafted SAML response messages. The vulnerabilities are remotely exploitable and impact a wide range of product versions, but the FortiCloud SSO login is not enabled by default unless the device is registered to FortiCare and the feature is explicitly activated. Administrators are strongly advised to disable the FortiCloud SSO login feature if enabled and to apply the latest security updates provided by Fortinet. Additional mitigations include using the device's GUI or CLI to turn off administrative login via FortiCloud SSO. Fortinet also addressed other vulnerabilities in the same advisory, but the authentication bypass flaws pose the most immediate risk due to their critical severity and potential for exploitation in the wild. Organizations should prioritize patching and review their FortiCloud SSO configurations to reduce exposure.
1 months ago